Skip to content

ClusterSync target user reconcile re-applies password and roles on every reconcile #2430

Description

@ChaoHuang2018

Hi Percona Server for MongoDB Operator maintainers,

While looking at the ClusterSync target-user reconcile path, I noticed that the existing-user branch appears to run MongoDB updateUser commands on every reconcile, even when the target user already matches the desired state.

The flow is:

I saw the design note that the controller re-applies the password and roles on every reconcile to heal drift after CR/Secret recreation. That makes sense for recovery, but the current implementation also means a steady-state reconcile seems to perform two MongoDB admin writes even when nothing changed.

A possible steady-state sequence is:

ClusterSync CR already created
<cr>-pcsm-target-user Secret already exists
target MongoDB user already exists with the Secret password and desired roles

next reconcile:
  GetUserInfo finds the target user
  UpdateUserPass runs updateUser with pwd
  UpdateUserRoles runs updateUser with roles

if either updateUser command has a transient failure:
  ensure sync target user fails
  reconcile surfaces the error in ClusterSync status

Would it be possible to make the steady-state path avoid no-op writes? For example:

  • compare the roles returned by GetUserInfo and skip UpdateUserRoles when they already match;
  • only re-apply the password when the target-user Secret was newly created, recreated, or otherwise marked as changed;
  • or document that repeated password/role reapplication is intentionally required and expected to be safe on every reconcile.

The main concern is avoiding unnecessary MongoDB admin writes and avoiding transient updateUser failures from blocking ClusterSync when the target user already appears converged.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions